
Technology News, Technology News feeds, Technology News blogs - Information 4 u
A look at how technology is changing our lives and the people behind all that life-changing stuff.

Archive: January 2008

18/01/2008 GMT 1

New strain of virus hits computer e-mail

information4u @ 11:23

May 19, 2000
Web posted at: 8:16 a.m. EDT (1216 GMT)


In this story:

Virus changes subject and copy on each infection

Recovering deleted files



SANTA CLARA, California (CNN) -- A new strain of computer virus written in the same computer programming language as the "Love Bug" virus has struck several U.S.-based multinational companies, according to computer experts.

The new strain is called "VBS/NewLove.a," by McAfee, an anti-virus firm. At one company, 5,000 computers were infected, according to Dave Perry, spokesman at the anti-virus software company Trend Micro Inc. in Cupertino, California.

The virus apparently began spreading on Thursday. Some virus experts say it could be more dangerous than the "Love Bug" virus, if it becomes widespread.

Early Friday, anti-virus experts were watching to see whether companies in Asia are affected.

Some computer experts advise home and individual Microsoft Outlook users not to open forwarded messages containing attachments.

Eddy Hsia, director of engineering for McAfee, in Santa Clara, California, told CNN that his company had issued a "high threat" warning about the virus.

He said VBS/NewLove.a "could easily cause rampant damage" and would not necessarily be detected by the same anti-virus devices that caught "Love Bug."

Hsia said McAfee updated its detection equipment on Thursday, within two hours of detecting the new virus, and he urged companies to update their virus scanners as soon as possible.

He said new attachments to an e-mail -- the way in which the virus arrives -- should not be opened, especially if they are from people who have not been heard from for a while.

Hsia said it is too early to detect the source of the new strain.

Virus changes subject and copy on each infection

The VBS/NewLove.a virus, or worm, spreads when a user opens an attachment in Microsoft Outlook e-mail. The subject line of an infected e-mail starts with "FW:" and includes the name of a randomly chosen attachment from a previous e-mail on an infected computer.

The infected e-mail has an attachment with the same name, but ending in ".vbs." VBS stands for VisualBasic, the programming language in which it is written. "Love Bug," too, was written in VisualBasic.

Like "Love Bug" the virus can send itself to everybody in the user's address book. In that case, it can destroy most of the files on the hard drive, rendering the computer useless until the operating system is reinstalled.

The worm not only changes its message subject each time it infects, but each copy of the message is different from every other copy.

This is achieved, according to ICSA.net, part of the GartnerGroup of Companies based in Stamford, Connecticut, because "the worm uses a space-algorithm to pad comment lines in the VBS (Visual Basic Script) code, causing copies of the worm to lack identity with their progeny and siblings."

ICSA advises corporations and organizations to disable e-mail gateways until e-mail containing .vbs attachments can be effectively filtered and quarantined.
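A gateway-side check for the message shape described above, as an added example that is not part of the original report: it flags any attachment whose name ends in .vbs and separately marks the "FW:" subject that carries the attachment's name. The sample messages, addresses and verdict strings are constructed for illustration.

```python
import email
import email.policy
from email.message import EmailMessage

BLOCKED_EXT = ".vbs"

def vbs_attachments(msg):
    """Names of attachments that Windows would treat as .vbs files."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        # Windows ignores trailing dots/spaces, so "x.vbs." still runs as .vbs
        if name and name.strip().rstrip(". ").lower().endswith(BLOCKED_EXT):
            hits.append(name.strip().rstrip(". "))
    return hits

def classify(raw_bytes):
    """Return a verdict string (the labels are this example's own)."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    hits = vbs_attachments(msg)
    if not hits:
        return "deliver"
    subject = str(msg["Subject"] or "").strip().lower()
    if subject.startswith("fw:"):
        for name in hits:
            stem = name[:-len(BLOCKED_EXT)].lower()
            # Reported pattern: subject carries the attachment name minus ".vbs"
            if stem and stem in subject:
                return "quarantine: FW + matching .vbs name"
    return "quarantine: .vbs attachment"

def build_sample(subject, filename):
    """Constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content("see attached")
    m.add_attachment(b"' placeholder text, not a script\r\n",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fn in [("FW: budget.xls", "budget.xls.vbs"),
                     ("hello", "notes.VBS."), ("FW: budget.xls", "budget.xls")]:
        print(subj, fn, "->", classify(build_sample(subj, fn)))
```

Because the subject changes with every copy, the extension rule is the one that holds; the subject match only helps triage what was caught.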


Recovering deleted files

Home and individual users of Microsoft Outlook should not open forwarded messages containing attachments of any type, ICSA says.

With regard to recovering deleted files, ICSA says it will be very difficult. The infected files are overwritten by the virus and are recoverable only by restoration from backup.

Anti-virus companies are hoping that increased awareness prompted by the "Love Bug" will temper the spread of the new strain.

"Any time a virus hits a week after another virus its potency is diminished," said Perry. "People tend to be a little more cautious."

The "Love Bug" virus -- a strain different from the new and potentially even more destructive worm -- spawned at least 25 copycats with varying levels of destructiveness. Computer Economics, a Carlsbad, California-based research company, estimated that "Love Bug" and its variants caused $6.7 billion of damage.

The virus forced many businesses and government agencies -- from the Pentagon to Britain's Parliament to major companies such as Ford and Lucent -- to take down computer networks for protection and repair.

The Associated Press contributed to this report.

 

New computer virus more destructive, but appears less infectious

information4u @ 11:14

May 19, 2000
Web posted at: 11:10 p.m. EDT (0310 GMT)


(CNN) -- While a new and potentially more destructive computer virus uses the same replication scheme as the "ILOVEYOU" virus, the new bug's ambitious destruction program may curb its spread and eventually cause it to fizzle out on its own, according to one computer expert.

Mikko Hypponen, director of virus research at anti-virus company F-Secure in Finland, said that while this virus -- dubbed "NewLove" -- can make a computer unbootable, it is not nearly as stealthy as "ILOVEYOU." The new computer worm is much less widespread than previous outbreaks and has built-in problems that will eventually make the virus expire on its own. A worm is a virus that is self-replicating.

"Unlike the original 'ILOVEYOU' virus, this one appears to have started, at least in significant part, in the United States rather than spreading from Asia to Europe to the United States," said Michael Vatis of the FBI's National Infrastructure Protection Center.

U.S. federal sources said they would not rule out that the same people involved in launching the "ILOVEYOU" virus a few weeks ago may have been involved in this one.

Officials said apparently no U.S. government computers have been affected. Warnings were disseminated before the start of business Friday. "Hopefully, that will minimize the effects," said one federal government source. "But it's too early to say what the impact has been or will be."

Despite its name, "NewLove" is not very similar to "ILOVEYOU," also known as Love Letter or Love Bug. The two are written in the same computer language, and Hypponen said the e-mail replication loop -- how the virus sends itself out to everyone in the user's Outlook address book -- is the same. Despite that, they are two different viruses.

"Otherwise, it's totally new code. But there's a common idea," Hypponen said.

Like the Love Letter virus, it only affects users of the Microsoft Windows 98 or 2000 operating systems, or Windows 95 users also running Internet Explorer 5.0. The virus also needs Microsoft's Outlook mail program to proliferate. The consumer version, Outlook Express, is not affected.

Rather than the same subject line each time, "NewLove" is polymorphic. Each time, it takes the name of a recently accessed file on the user's machine and uses that name, along with "FW:". This can work much better than "ILOVEYOU," because users can't be on the lookout for a specific subject line. Instead, the subject line may be a file name that is trusted -- especially among co-workers.

"It's really quite clever," Hypponen said. "It uses realistic file names and sends those to people you know. It's social engineering, just like we saw with Love Letter."

After replicating itself, the virus begins obliterating files. While Love Letter destroyed only JPEG image files, NewLove targets every single file on a user's hard drive. The worm will go through all local drives and all subdirectories. For each file, the worm creates a new file using the same name with the additional extension ".vbs" and deletes the original file. The new file is empty, effectively destroying all data on the machine. Then it does the same to networked hard drives, common in a company atmosphere.

The virus only does this to files for which the user has "write" permission, and files that are not currently in use. Still, it immediately makes the computer crash and become unbootable.

As frightening as that may be for users, it is also NewLove's downfall, Hypponen said.

"It's too destructive to become widespread," he said. "When you get hit by Love Letter, you may not notice it. The next time you hear about it is when someone calls you up and complains. But with NewLove, you open the attachment and immediately your machine crashes and won't boot again.

"It's never going to go around like Love Letter," he said, "because it's so obvious."

After being urged for more than one year to make Outlook less risky, the company is expected to offer a software patch next week.

"They've really done a 180 on this," said Chris Le Tocq of the Gartner Group. "The new fix that they have in Beta right now for Outlook completely removes programmability except as manually authorized in each case by the user.

"And this will break, frankly, a large number of corporate applications, but for the general user this is the right thing to do," he added.

Another quirk in the code can also limit how far NewLove gets around. Each time the virus replicates, it adds junk lines to its code. This, Hypponen said, is to keep the file size changing and make it more difficult to detect. However, NewLove only keeps adding junk lines to itself; it never takes them away. So every time it replicates, it grows.

Once the file size gets huge, slowdown and company limits on attachment size would stop the virus in its tracks.

"Eventually, it'll become 10 megs, 100 megs, 1 gig," Hypponen said. "It'll kill itself off. It becomes too fat."
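Junk lines and padded comments change a file's size and every byte-level hash, but not the statements that actually run. The following added example (not from the original report) fingerprints a VBScript file after stripping comments and whitespace, so padded copies collapse to one value; the sample scripts are constructed and harmless, and the function names are this example's own.

```python
import hashlib

def strip_comment(line):
    """Cut a VBScript ' comment, ignoring apostrophes inside "..." literals."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def normalize(script):
    """Drop comments, blank lines and whitespace runs; keep statement order."""
    kept = []
    for line in script.splitlines():
        code = " ".join(strip_comment(line).split())
        first = code.split(" ", 1)[0].lower()
        if code and first != "rem":  # Rem is VBScript's other comment form
            kept.append(code)
    return "\n".join(kept)

def fingerprint(script):
    """SHA-256 over the normalized text (lossy: spacing in literals collapses)."""
    return hashlib.sha256(normalize(script).encode("utf-8")).hexdigest()

def raw_sha256(script):
    """SHA-256 over the file exactly as received."""
    return hashlib.sha256(script.encode("utf-8")).hexdigest()

# Constructed samples: the same three harmless statements, with and without padding.
BASE = 'Dim msg\nmsg = "it\'s a test"\nWScript.Echo msg\n'
PADDED = ("'   xq    zz\n"
          "Dim msg\n"
          "Rem     filler\n"
          "' k       p\n"
          'msg = "it\'s a test"     \' trailing pad\n'
          "\n"
          "WScript.Echo   msg\n")
OTHER = 'WScript.Echo "different"\n'

if __name__ == "__main__":
    print("raw hashes equal:        ", raw_sha256(BASE) == raw_sha256(PADDED))
    print("normalized hashes equal: ", fingerprint(BASE) == fingerprint(PADDED))
    print("sizes:", len(BASE), len(PADDED))
```

This only cancels padding in comments and spacing; a copy whose statements are altered still needs a different signature.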

Hypponen's predictions have so far been borne out by the lack of infection reports.

"We haven't received a single direct report of being infected," he said. "We've received secondhand reports from partners in the industry, but the total (companies infected) are 10 or 11." Those reports have been in Israel, central Europe and the United States.

But at each company, many computers could be affected and all data lost. At one firm, 5,000 computers were infected, according to Dave Perry, a spokesman at the anti-virus software company Trend Micro Inc. in Cupertino, California.

But now, Trend Micro is downplaying the total outbreak, saying it's not nearly as bad as expectations.

"It has hit a handful of companies," said spokeswoman Kristin Zoega, "but it's definitely not as widespread as Love Letter was."

As of late Thursday night, another anti-virus company, Symantec, reported three to nine companies had been hit. This is not even a drop in the bucket compared to Love Letter, which crippled mail servers and destroyed image files at tens of thousands of networks around the world just several weeks ago.

Love Letter spawned at least 25 copycats with varying levels of destructiveness. Computer Economics, a Carlsbad, California-based research company, estimated that the virus and its variants caused $6.7 billion of damage.

Hypponen expects variants on this virus, too. "Perhaps one that won't increase its size so much," he predicts.

Existing anti-virus updates against Love Letter are unlikely to affect this new virus. Hypponen suggests instead that users uninstall Windows Scripting Host, the program that allows VisualBasic scripts to run. Hypponen has detailed instructions on how to do this on F-Secure's Web site.

He said that "99.5 percent of users have no need for Windows Scripting Host. But a whole bunch of virus writers use it. I rest my case."

CNN Interactive Technology Editor D. Ian Hopper, Technology Correspondent Rick Lockridge and CNNfn Correspondent Steve Young contributed to this report.

 

 

 

 
